I. Introduction to the Linux packet capture tool tcpdump
1. Introduction to tcpdump
tcpdump can intercept the "header" of packets transmitted on the network and analyze them. It supports filtering by network layer, protocol, host, network or port, and provides logical operators such as and, or and not to help you discard irrelevant traffic. tcpdump is a free network analysis tool; because it ships with its source code and exposes its interfaces it is highly extensible, which makes it a useful tool for network maintainers and for intruders alike. tcpdump is part of the base FreeBSD system. Because it needs to put the network interface into promiscuous mode, an ordinary user cannot run it normally, but a user with root permission can run it directly and obtain information from the network. The presence of a network analysis tool on a system is therefore not primarily a threat to that host's own security, but to the security of the other computers on the network.
In the simplest terms, tcpdump means "dump the traffic on a network": a packet analysis tool that intercepts packets on the network according to rules the user defines. As the classic essential tool for system administrators on the Internet, its powerful features and flexible capture strategy make tcpdump one of the things every senior system administrator relies on to analyze the network and troubleshoot problems.
2. Using tcpdump
Normally, starting tcpdump directly will listen to all packets flowing through the first network interface.
# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1D ui/c len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast SAP E0 ui/c len=97
FFFF 0060 0004 ffff ffff ffff FFFF FFFF
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
tcpdump supports quite a number of parameters. For example, the -i parameter specifies the network interface tcpdump listens on, which is useful when the computer has more than one interface; the -c parameter specifies the number of packets to capture; the -w parameter writes the captured packets to a file; and so on.
The more complex tcpdump parameters, however, are for filtering. Network traffic is very large, and if every packet is captured without distinction the volume of data becomes too big to find the packets you need. The filter rules defined with these parameters capture only specific packets, narrowing the target so that problems on the network can be analyzed more effectively. tcpdump uses its parameters to specify the type, address, port and so on of the packets to monitor; applied to a specific network problem, these filter rules let you locate the fault quickly. See man tcpdump for the precise syntax of these filter rules.
Obviously, for safety, network analysis software should not be run on a computer that is not used for network management. To block such tools, the bpfilter pseudo-device in the kernel can be removed. In general, network hardware and the TCP/IP stack do not support receiving or sending packets that are unrelated to the local computer; to receive them you must use the network adapter's promiscuous mode and bypass the standard TCP/IP stack. Under FreeBSD this requires kernel support for the bpfilter pseudo-device, so removing bpfilter support from the kernel blocks tcpdump and other network analysis tools.
When a NIC is put into promiscuous mode, the system leaves a record on the console and in the log file, which reminds the administrator to check whether the system is being used as a springboard for attacking other computers on the same network:
May 16:27:20 host1 /kernel: fxp0: promiscuous mode enabled
Although a network analysis tool can record the data transmitted on the network, the volume of that data is considerable, and how to analyze it, classify and count it, and discover and report errors is the more critical problem. Packets on a network belong to different protocols, and packets of different protocols have different formats, so decoding the captured data and displaying as much of the information inside the packets as possible is what matters most in a protocol analysis tool. The advantage of expensive commercial analysis tools is that they support many application-layer protocols, not just low-level protocols such as TCP and UDP.
As the tcpdump output above shows, the data intercepted by tcpdump is not thoroughly decoded; most of the packet contents are printed directly in hexadecimal. Obviously this is not convenient for analyzing network faults. The usual solution is to capture the data with tcpdump's -w parameter, save it to a file, and then use another program to decode and analyze it. Filter rules should of course also be defined so that the captured packets do not fill the whole hard disk. FreeBSD provides a usable decoder, tcpshow, which can be installed from the packages collection:
# pkg_add /cdrom/packages/security/tcpshow*
# tcpdump -c 3 -w tcpdump.out
tcpdump: listening on fxp0
# tcpshow < tcpdump.out
---------------------------------------------------------------------------
Packet 1
time: 12:00:59.984829
link: 00:10:7b:08:3a:56 -> 01:80:c2:00:00:00 type=0026
<*** No decode support for encapsulated protocol ***>
---------------------------------------------------------------------------
Packet 2
time: 12:01:01.074513 (1.089684)
link: 00:A0:C9:AB:3C:DF -> FF:FF:FF:FF:FF:FF type=arp
arp: htype=ethernet ptype=ip hlen=6 plen=4 op=request
sender-mac-addr=00:A0:C9:AB:3C:DF sender-ip-address=202.102.245.3
target-mac-addr=00:00:00:00:00:00 target-ip-address=202.102.245.3
---------------------------------------------------------------------------
Packet 3
time: 12:01:01.985023 (0.910510)
link: 00:10:7b:08:3a:56 -> 01:80:c2:00:00:00 type=0026
<*** No decode support for encapsulated protocol ***>
tcpshow can decode packets in different ways and display the decoded data in different ways; users can choose the most appropriate parameters from its manual to analyze the intercepted packets. As the example above shows, the set of protocols tcpshow supports is not rich, and it cannot decode protocols it does not support.
Besides tcpdump, the FreeBSD packages collection provides two other network analysis tools, ethereal and sniffit, as well as other security tools built on network analysis. ethereal runs under X Window and has a nice graphical interface; sniffit uses character windows and is also easy to operate. Because tcpdump's support for filter rules is stronger, however, system administrators still prefer it. For an experienced network administrator, these network analysis tools not only show how the network is running and where a fault occurs, but also support useful statistics: which protocol generates the most traffic, which host is busiest, where the network bottlenecks are, and so on. A network analysis tool is therefore a valuable system tool for network management. To prevent data from being abused through interception by a network analysis tool, the key is the physical structure of the network. The common approach is to separate the trusted network from the untrusted network with a switch or network bridge, so that the external segment cannot eavesdrop on internal transmissions; this still does not solve the security problems of communication between the internal and external networks. If you do not have enough funds to upgrade a shared hub to an Ethernet switch, you can use a FreeBSD system to perform the network bridge task. This requires rebuilding the kernel with the options BRIDGE compile option and then starting the bridging function with the bridge command.
tcpdump is a command-line tool; its command format is:
tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ]
        [ -i interface ] [ -r file ] [ -s snaplen ]
        [ -T type ] [ -w file ] [ expression ]
(1) tcpdump options
-a converts network addresses and broadcast addresses into names;
-d dumps the compiled code for matching packets in a human-readable assembly-like format;
-dd dumps the code for matching packets as a C program fragment;
-ddd dumps the code for matching packets as decimal numbers;
-e prints the data-link-layer header on each output line;
-f prints foreign Internet addresses numerically;
-l makes standard output line-buffered;
-n does not convert network addresses into names;
-t does not print a timestamp on each output line;
-v prints slightly more detailed output, such as the TTL and type-of-service information in an IP packet;
-vv prints even more detailed output;
-c count stops tcpdump after receiving the specified number of packets;
-F file reads the filter expression from the specified file, ignoring any expression given on the command line;
-i interface specifies the network interface to listen on;
-r file reads packets from the specified file (these files are typically produced by the -w option);
-w file writes the raw packets directly to the file instead of parsing and printing them;
-T type forces the captured packets to be interpreted as the specified type of message, typically used with RPC (Remote Procedure Call) and SNMP (Simple Network Management Protocol).
(2) tcpdump expressions
An expression is the pattern tcpdump uses as the condition for filtering packets: if a packet satisfies the expression, it is captured. If no expression is given, all packets on the network are intercepted. An expression is generally built from several kinds of keywords.
The first kind is type keywords, mainly host, net and port. For example, host 210.27.48.2 means 210.27.48.2 is a host, net 202.0.0.0 means 202.0.0.0 is a network address, and port 23 means the port number is 23. If no type is given, the default type is host.
The second kind is direction keywords, mainly src, dst, dst or src and dst and src, which indicate the direction of transfer. For example, src 210.27.48.2 means the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network address is 202.0.0.0. If no direction keyword is given, src or dst is the default.
The third kind is protocol keywords, mainly fddi, ip, arp, rarp, tcp and udp. fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface) networks; in effect it is an alias of ether, since FDDI and Ethernet frames have similar source and destination addresses, so FDDI packets can be handled and analyzed like Ethernet packets. The other keywords refer to the protocol of the packets being monitored. If no protocol is given, tcpdump listens for packets of all protocols.
Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is not or !, conjunction is and or &&, and disjunction is or or ||. These keywords can be combined into powerful compound conditions that meet most needs. A few examples:
a. To capture all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
b. To capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the following command (parentheses on the command line must be escaped with \):
# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
c. To capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
d. To capture the telnet packets received or sent by host 210.27.48.1:
# tcpdump tcp port 23 and host 210.27.48.1
e. To monitor UDP port 123 on this computer (123 is the NTP service port):
# tcpdump udp port 123
f. The system will only monitor packets of the host named hostname, which can be the local host or any computer on the network. The following command reads all data sent by host hostname:
# tcpdump -i eth0 src host hostname
g. The following command monitors all packets sent to host hostname:
# tcpdump -i eth0 dst host hostname
h. We can also monitor the packets passing through a specified gateway:
# tcpdump -i eth0 gateway gatewayname
i. To additionally monitor the TCP or UDP packets addressed to a specified port, run:
# tcpdump -i eth0 host hostname and port 80
(3) tcpdump output
Here we introduce the output of several typical tcpdump commands.
A. Data-link-layer header information
Command used: # tcpdump -e host ice
ice is a Linux host whose MAC address is 0:90:27:58:af:1a.
h219 is a Sun workstation running Solaris whose MAC address is 8:0:20:79:5b:46. The output of the command above looks like this:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12 is the time and 847509 is the ID number; eth0 < means the packet was received on network interface eth0, while eth0 > would mean it was sent from that interface. 8:0:20:79:5b:46 is the MAC address of host h219, indicating that the packet was sent from the source h219; 0:90:27:58:af:1a is the MAC address of host ice, indicating that the packet's destination is ice. ip indicates that this is an IP packet and 60 is the length of the packet. h219.33357 > ice.telnet means the packet was sent from port 33357 on host h219 to the telnet (23) port on host ice. ack 22535 is a response to the packet with sequence number 22535, and win 8760 means the size of the send window is 8760.
B. tcpdump output for ARP packets
Command used: # tcpdump arp
The output is:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)
Analysis: 22:32:42 is the timestamp and 802509 is the ID number; eth0 > means the packet was sent from this host, arp means it is an ARP request packet, and who-has route tell ice means host ice is asking for the MAC address of host route. 0:90:27:58:af:1a is the MAC address of host ice.
C. Output for TCP packets
The general format of TCP packets captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst indicates the packet goes from the source address to the destination address; flags are the flag bits in the TCP packet: S is SYN, F is FIN, P is PUSH, R is RST and "." means no flag is set. data-seqno is the sequence number of the data in the packet, ack is the next sequence number expected, window is the size of the receive buffer window, urgent indicates whether the packet carries an urgent pointer, and options are the TCP options.
D. Output for UDP packets
The general format of UDP packets captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP is very simple: the line above indicates a UDP packet sent from port port1 on host route to port port2 on host ice; the type is udp and the length of the packet is length.
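As an added example that is not part of the original article, the Python script below parses lines in the classic tcpdump output format described in C and D above (without -e link-layer headers) into structured records, so that flags, sequence numbers and window sizes can be checked programmatically instead of by eye. The sample lines are constructed to match that format; the host names, ports and numbers in them are invented.

```python
import re

# Constructed sample lines in the classic tcpdump output format described above.
# Hosts, ports and sequence numbers are invented; nothing here was captured
# from the machines in the article.
SAMPLE_LINES = [
    "21:50:12.847509 h219.33357 > ice.telnet: S 1234567:1234567(0) win 8760 <mss 1460> (DF)",
    "21:50:12.848001 ice.telnet > h219.33357: S 7654321:7654321(0) ack 1234568 win 8760 <mss 1460>",
    "21:50:12.848200 h219.33357 > ice.telnet: . ack 1 win 8760 (DF)",
    "21:50:13.001000 h219.33357 > ice.telnet: P 1:25(24) ack 1 win 8760 urg 3 (DF)",
    "22:10:01.500000 route.53 > ice.1025: udp 90",
    "this line is not tcpdump output",
]

# src.port > dst.port: flags [seq:seq_end(len)] [ack N] [win N] [urg N] [<options>]
TCP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\S+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\S+):\s+"
    r"(?P<flags>[SFPRWE.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
    r"(?:\s+urg\s+(?P<urg>\d+))?"
    r"(?:\s+<(?P<options>[^>]*)>)?"
)
# src.port > dst.port: udp length
UDP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\S+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\S+):\s+udp\s+(?P<len>\d+)"
)

FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", "W": "CWR", "E": "ECE"}


def to_seconds(timestamp):
    """Convert an hh:mm:ss.ffffff timestamp to seconds since midnight."""
    hours, minutes, seconds = timestamp.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it is not in a known format."""
    m = TCP_RE.match(line)
    if m:
        d = m.groupdict()
        return {
            "proto": "tcp",
            "time_s": to_seconds(d["time"]),
            "src": d["src"], "sport": d["sport"],
            "dst": d["dst"], "dport": d["dport"],
            # a lone "." means no flag bit is set, so the list is empty
            "flags": [FLAG_NAMES[c] for c in d["flags"] if c in FLAG_NAMES],
            "seq": int(d["seq"]) if d["seq"] else None,
            "len": int(d["len"]) if d["len"] else 0,
            "ack": int(d["ack"]) if d["ack"] else None,
            "win": int(d["win"]) if d["win"] else None,
            "urgent": int(d["urg"]) if d["urg"] else None,
            "options": d["options"] or "",
        }
    m = UDP_RE.match(line)
    if m:
        d = m.groupdict()
        return {
            "proto": "udp",
            "time_s": to_seconds(d["time"]),
            "src": d["src"], "sport": d["sport"],
            "dst": d["dst"], "dport": d["dport"],
            "len": int(d["len"]),
        }
    return None


def parse_capture(lines):
    """Parse every recognizable line; unrecognized lines are skipped, not guessed at."""
    return [rec for rec in (parse_line(l) for l in lines) if rec is not None]


def bytes_per_direction(records):
    """Sum TCP payload bytes per (src, dst) host pair, which shows who is actually sending data."""
    totals = {}
    for rec in records:
        if rec["proto"] == "tcp":
            key = (rec["src"], rec["dst"])
            totals[key] = totals.get(key, 0) + rec["len"]
    return totals


if __name__ == "__main__":
    records = parse_capture(SAMPLE_LINES)
    for rec in records:
        print(rec)
    print(bytes_per_direction(records))
```

Unrecognized lines are dropped rather than partially parsed, and the timestamp is converted to seconds so that gaps between packets (retransmission intervals, server response time) can be computed by subtraction.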
3. Auxiliary tools
(1) To see TCP or UDP port usage, use netstat -anp.
If some processes are not shown (the program column shows only "-"), try:
sudo netstat -anp
To see information about a particular port, use the lsof command, for example:
sudo lsof -i :631
-bash-3.00# netstat -tln
The netstat -tln command shows which ports are listening on Linux.
/etc/init.d/vsftp start is used to start the FTP service.
See the file /etc/services.
netstat
Shows the service ports that are already connected (ESTABLISHED).
netstat -a
Shows all service ports (LISTEN and ESTABLISHED).
sudo netstat -ap
Shows all service ports together with the name of the corresponding program.
nmap <scan type> <scan parameters>
For example:
nmap localhost
nmap -p 1024-65535 localhost
nmap -PT 192.168.1.127-245
When we look at network connections with netstat -apn, we find many entries like the following:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 218.104.81.152:7710 211.100.39.250:29488 ESTABLISHED 6111/1
This shows that the server has port 7710 open. Which program does this port belong to? We can query it with the command lsof -i :7710:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 1990 root 3u IPv4 4836 TCP *:7710 (LISTEN)
So we know that port 7710 belongs to the sshd program.
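As an added example (not from the article), the Python snippet below parses netstat -anp output into records, answers the "which program owns port 7710?" question from such a listing, and flags listening ports that are not on an allowlist, which is the check worth running after looking at netstat on a server. The netstat listing is constructed, not taken from the article's server.

```python
# Constructed sample of `netstat -anp` output (not the article's listing). The "-"
# in the last column is what an unprivileged user sees for sockets owned by
# another user's process, which is why the text above suggests sudo.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7710            0.0.0.0:*               LISTEN      1990/sshd
tcp        0      0 218.104.81.152:7710     211.100.39.250:29488    ESTABLISHED 6111/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      1990/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1234/ntpd
"""


def parse_netstat(text):
    """Parse netstat -anp lines into dicts; header and non-socket lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        # UDP sockets have no State column, so the PID/Program field shifts left
        state = fields[5] if len(fields) == 7 else ""
        pid_prog = fields[-1]
        addr, port = local.rsplit(":", 1)
        if pid_prog == "-":
            pid, program = None, None   # owner not visible without root
        else:
            pid_s, program = pid_prog.split("/", 1)
            pid = int(pid_s)
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "foreign": foreign, "state": state, "pid": pid, "program": program})
    return sockets


def listening_sockets(text):
    """TCP sockets in LISTEN state plus every UDP socket (UDP has no listen state)."""
    return [s for s in parse_netstat(text)
            if (s["proto"].startswith("tcp") and s["state"] == "LISTEN")
            or s["proto"].startswith("udp")]


def owner_of_port(text, port):
    """Return (pid, program) for the process listening on a port, or None if nothing listens."""
    for s in listening_sockets(text):
        if s["port"] == port:
            return s["pid"], s["program"]
    return None


def unexpected_listeners(text, allowed_ports):
    """Listening ports outside an allowlist, with the owner or a hint to rerun as root."""
    findings = []
    for s in listening_sockets(text):
        if s["port"] not in allowed_ports:
            findings.append({"proto": s["proto"], "port": s["port"], "addr": s["addr"],
                             "program": s["program"] or "unknown (rerun as root)"})
    return findings


if __name__ == "__main__":
    print(owner_of_port(SAMPLE_NETSTAT, 7710))
    for finding in unexpected_listeners(SAMPLE_NETSTAT, allowed_ports={22, 123}):
        print(finding)
```

Only sockets in LISTEN state (and all UDP sockets) are considered when answering the ownership question, so an established connection on the same port number, like the second 7710 line, does not confuse the lookup.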
(2) Troubleshooting error messages when running tcpdump
tcpdump: no suitable device found
tcpdump: no devices found /dev/bpf4: No such file or directory
Two causes and their solutions:
1. Insufficient privileges. Nothing special needs to be done; just run tcpdump as the root user.
2. By default only 4 tcpdump instances can run at the same time; when they are all in use, this error is reported. Stop the extra tcpdump processes.
II. Application cases of the Linux packet capture tool tcpdump
tcpdump can handle not only everyday network problems; it can also be used to analyze database problems for database tuning.
Case 1: The client (192.168.15.14) is suddenly unable to access the SQL Server database (192.168.15.14)
1. Wireshark was used on the Windows side to capture packets. The capture shows that SQL Server received the SYN request and acknowledged it (ack=1), but the client did not receive the acknowledgement:
10:51:21.102439 IP (tos 0x10, ttl, id 45670, offset 0, flags [DF], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535 <mss 1460>
10:51:23.750271 IP (tos 0x10, ttl, id 45768, offset 0, flags [DF], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535 <mss 1460>
10:51:29.943904 IP (tos 0x10, ttl, id 45971, offset 0, flags [none], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535 <mss 1460>
10:51:42.045897 IP (tos 0x10, ttl, id 46849, offset 0, flags [none], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535 <mss 1460>
14309 23.459236000 192.168.1.219 192.168.15.14 TCP 50162 > ms-sql-s [SYN] Seq=0 Win=65535 Len=0 MSS=1460
14310 23.459330000 192.168.15.14 192.168.1.219 TCP ms-sql-s > 50162 [SYN, ACK] Seq=0 Ack=1 Win=8192 MSS=1460
2. Why was the packet not received? Check with the trace command:
c:\users\administrator>tracert 192.168.1.219
Tracing route to 192.168.1.219 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 192.168.15.30
2 <1 millisecond <1 millisecond <1 millisecond 192.168.15.36
3 1 ms 1 ms 1 ms 192.168.208.106
4 1 ms 1 ms 1 ms 192.168.215.137
5 1 ms 1 ms 1 ms 192.168.212.245
6 1 ms <1 millisecond <1 Ms 192.168.212.246
7 1 ms 1 ms 1 ms 192.168.212.241
8 1 ms 1 ms 1 ms 192.168.248.241
9 1 ms 1 ms 1 ms 192.168.249.98
10 2 ms 5 ms 1 ms 192.168.1.219
Trace Complete.
3. A traceroute from the Linux side also could not get through. The database received the request packet and sent a reply packet, but the client never received the reply, which indicates that the return packet was lost on the way. The basic judgement is a routing problem.
yytlc:/#> traceroute 192.168.15.14
Trying to get source for 192.168.15.14
Source should be 192.168.1.219
Traceroute to 192.168.15.14 (192.168.15.14) from 192.168.1.219 (192.168.1.219), hops max
Outgoing MTU = 1500
1 192.168.1.217 (192.168.1.217) 4 ms 2 ms 6 ms
2 192.168.47.220 (192.168.47.220) 0ms 1 ms 6 ms
3 192.168.253.41 (192.168.253.41) 8ms 8 ms 8 ms
4 * * *
5 * * *
6 * * *
........
The packets captured while traceroute was running:
12:08:49.834285 IP yytlc.61860 > 192.168.15.14.33456: udp 1472
12:08:55.834091 IP yytlc.61860 > 192.168.15.14.33457: udp 1472
12:09:00.835624 IP yytlc.61860 > 192.168.15.14.33458: udp 1472
At this point the Wireshark capture on the Windows side shows that the UDP request was received:
11539 47.422984000 192.168.1.219 192.168.15.14 UDP 1514 Source port: 61860 Destination port: 33457
4. With the help of a network expert, the cause was found to be a routing problem on a Juniper router, which meant the packets could not be delivered correctly.
Case 2: An sqlplus client cannot connect to the Oracle database; the connection fails with ORA-12537
Symptom: connection error
[oracle@localhost ~]$ sqlplus u/p@smpdb
SQL*Plus: Release 11.2.0.2.0 Production on Monday November 25 14:32:45 2013
Copyright (c) 1982, Oracle. All rights reserved.
ERROR:
ORA-12537: TNS:connection closed
Capture on the client: the reply packets were received, but the connection was closed
[root@localhost ~]# tcpdump -i eth0 host 192.168.3.220
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
16:48:07.048525 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: S 2870102332:2870102332(0) win 5840 <mss 1460,sackOK,timestamp 443389148 0,nop,wscale 7>
16:48:07.048872 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: S 2343325666:2343325666(0) ack 2870102333 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 32985 443389148>
16:48:07.048882 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: . ack 1 win <nop,nop,timestamp 443389149 32985>
16:48:07.049044 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: P 1:225(224) ack 1 win <nop,nop,timestamp 443389149 32985>
16:48:07.049145 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: . ack win 8298 <nop,nop,timestamp 32986 443389149>
16:49:07.370802 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: F 1:1(0) ack win 8298 <nop,nop,timestamp 92987 443389149>
16:49:07.370888 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: . ack 2 win <nop,nop,timestamp 443449471 92987>
16:49:07.371014 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: F 225:225(0) ack 2 win <nop,nop,timestamp 443449471 92987>
16:49:07.371121 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: . ack 8297 win <nop,nop,timestamp 92987 443449471>
Capture on the database server: only the connection requests were received, and no response packets were sent (note that this contradicts the client side having received a reply; the specific reason is still not understood):
16:53:57.176963 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 32986 ecr 0], length 0
16:54:00.185469 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 35986 ecr 0], length 0
16:54:03.396744 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 39186 ecr 0], length 0
16:54:06.618718 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:09.846067 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:13.073922 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:19.326237 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 936514366, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:31.603109 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 936514366, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:55.892606 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 802356553, win 65535, options [mss 1380,sackOK,eol], length 0
Preliminary diagnosis
Since the server did receive the database packets, port 1521 has been opened on the firewall, so the problem lies on the database server side. No connection requests from the client were found in the listener.log of the server.
Final diagnosis:
An iptables firewall policy on the database server prevented the client from connecting to the database. After the relevant firewall policy was opened in iptables, access was normal.
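To make the two patterns in Case 1 and Case 2 mechanically checkable, here is an added Python example (not from the original article) that groups tcpdump lines in the newer "Flags [S], seq ..., length N" format into flows and reports, per connection attempt, whether the SYN went unanswered, the server reset it, or the handshake completed and the server closed without sending any data. The sample capture is constructed to mirror the two cases; its addresses, ports and numbers are invented, not copied from the captures above.

```python
import re
from collections import OrderedDict

# Constructed sample capture in the newer tcpdump output format (tcpdump -nn style).
# Flow 1 mirrors Case 1: the client repeats its SYN and never sees a SYN-ACK.
# Flow 2 mirrors the client-side capture of Case 2: the handshake completes, the
# client sends its request, and the server closes a minute later without answering.
SAMPLE_LINES = [
    "10:51:21.102439 IP 192.168.1.219.50162 > 192.168.15.14.1433: Flags [S], seq 616881461, win 65535, options [mss 1460], length 0",
    "10:51:23.750271 IP 192.168.1.219.50162 > 192.168.15.14.1433: Flags [S], seq 616881461, win 65535, options [mss 1460], length 0",
    "10:51:29.943904 IP 192.168.1.219.50162 > 192.168.15.14.1433: Flags [S], seq 616881461, win 65535, options [mss 1460], length 0",
    "10:51:42.045897 IP 192.168.1.219.50162 > 192.168.15.14.1433: Flags [S], seq 616881461, win 65535, options [mss 1460], length 0",
    "16:48:07.048525 IP 192.168.1.45.38405 > 192.168.3.220.1521: Flags [S], seq 2870102332, win 5840, options [mss 1460,sackOK,TS val 443389148 ecr 0,nop,wscale 7], length 0",
    "16:48:07.048872 IP 192.168.3.220.1521 > 192.168.1.45.38405: Flags [S.], seq 2343325666, ack 2870102333, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 32985 ecr 443389148], length 0",
    "16:48:07.048882 IP 192.168.1.45.38405 > 192.168.3.220.1521: Flags [.], ack 1, win 46, options [nop,nop,TS val 443389149 ecr 32985], length 0",
    "16:48:07.049044 IP 192.168.1.45.38405 > 192.168.3.220.1521: Flags [P.], seq 1:225, ack 1, win 46, options [nop,nop,TS val 443389149 ecr 32985], length 224",
    "16:48:07.049145 IP 192.168.3.220.1521 > 192.168.1.45.38405: Flags [.], ack 225, win 8298, options [nop,nop,TS val 32986 ecr 443389149], length 0",
    "16:49:07.370802 IP 192.168.3.220.1521 > 192.168.1.45.38405: Flags [F.], seq 1, ack 225, win 8298, options [nop,nop,TS val 92987 ecr 443389149], length 0",
    "16:49:07.370888 IP 192.168.1.45.38405 > 192.168.3.220.1521: Flags [.], ack 2, win 46, options [nop,nop,TS val 443449471 ecr 92987], length 0",
]

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP6? "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r".*?, length (?P<len>\d+)"
)


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Extract time, endpoints, flag bits and payload length from one tcpdump line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "t": to_seconds(d["time"]),
        "src": (d["src"], d["sport"]),
        "dst": (d["dst"], d["dport"]),
        "syn": "S" in d["flags"],
        "ack": "." in d["flags"],
        "fin": "F" in d["flags"],
        "rst": "R" in d["flags"],
        "len": int(d["len"]),
    }


def analyze_handshakes(lines):
    """Group packets into flows and describe what happened to each connection attempt."""
    flows = OrderedDict()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key = tuple(sorted([p["src"], p["dst"]]))   # same key for both directions
        f = flows.get(key)
        if f is None:
            f = flows[key] = {"client": p["src"], "server": p["dst"],
                              "first": p["t"], "last": p["t"], "syn": 0, "syn_ack": 0,
                              "client_bytes": 0, "server_bytes": 0,
                              "fin_from": None, "rst_from": None}
        f["last"] = p["t"]
        if p["syn"] and not p["ack"]:
            f["syn"] += 1
            f["client"], f["server"] = p["src"], p["dst"]   # the SYN sender is the client
        elif p["syn"] and p["ack"]:
            f["syn_ack"] += 1
        side = "client" if p["src"] == f["client"] else "server"
        f[side + "_bytes"] += p["len"]
        if p["fin"] and f["fin_from"] is None:
            f["fin_from"] = side
        if p["rst"] and f["rst_from"] is None:
            f["rst_from"] = side
    return [describe(f) for f in flows.values()]


def describe(f):
    """Turn flow counters into a diagnosis a troubleshooter can act on."""
    if f["syn"] and not f["syn_ack"]:
        state, hint = "no_syn_ack", "%d SYN(s), no SYN-ACK: host down, route broken, or a firewall DROP on the way" % f["syn"]
    elif f["rst_from"] == "server":
        state, hint = "reset_by_server", "server answered with RST: port closed or a firewall REJECT"
    elif f["fin_from"] == "server" and f["server_bytes"] == 0:
        state, hint = "closed_by_server_without_data", "handshake completed but the server closed without sending data: check the service (listener log, application policy), not the network"
    else:
        state, hint = "ok", "handshake and data exchange look normal"
    return {"client": "%s:%s" % f["client"], "server": "%s:%s" % f["server"],
            "state": state, "syn": f["syn"],
            "client_bytes": f["client_bytes"], "server_bytes": f["server_bytes"],
            "duration": round(f["last"] - f["first"], 3), "hint": hint}


if __name__ == "__main__":
    for result in analyze_handshakes(SAMPLE_LINES):
        print(result)
```

Where the capture was taken matters as much as the state: no_syn_ack seen only on the client (Case 1) points at the path or the far host, while the same state in a capture taken on the server itself (the server-side capture of Case 2) means the SYNs reached the host but nothing answered them, which is what a local packet filter dropping them before the listener looks like. A server that completes the handshake and then closes without data, as in the client-side capture of Case 2, has accepted the TCP connection and rejected the session at a higher layer.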
Case 3: FTP data does not pass after Linux iptables is enabled
Symptom: FTP can connect normally but cannot transfer data
When the FTP transfer fails, note that the data transmission uses the ftp-data port:
[root@stylog1 ~]# tcpdump -i bond0 host 192.168.9.37
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:48:10.171437 IP 192.168.9.37.55460 > 192.168.5.5.ftp: Flags [P.], seq 2473112340:2473112365, ack 2946208393, win 8064, length 25
10:48:10.171486 IP 192.168.5.5.ftp > 192.168.9.37.55460: Flags [.], ack, win, length 0
10:51:38.397111 IP 192.168.5.5.ftp-data > 192.168.9.37.55516: Flags [S], seq 2207620674, win 14600, options [mss 1460,sackOK,TS val 1965825832 ecr 0,nop,wscale 7], length 0
10:51:54.397107 IP 192.168.5.5.ftp-data > 192.168.9.37.55516: Flags [S], seq 2207620674, win 14600, options [mss 1460,sackOK,TS val 1965841832 ecr 0,nop,wscale 7], length 0
ftp-data uses port 20, and no firewall policy opens this port:
[root@stylog1 ~]# cat /etc/services | grep ftp-data
ftp-data 20/tcp
ftp-data 20/udp
ftp-data 20/sctp # FTP
kftp-data 6620/tcp # Kerberos V5 FTP data
kftp-data 6620/udp # Kerberos V5 FTP data
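An added configuration example, not the article's firewall policy, showing the rule the weak policy in Case 3 was missing. Assumptions: these are the filter-table rules of the host whose INPUT chain drops the FTP data connection (from the capture above that is the client side in active mode, because the server's SYN from port 20 leaves the server but never gets a SYN-ACK), and the nf_conntrack_ftp helper module has been loaded.

```iptables
# Added example in iptables-save format; not the article's configuration.
# Assumes: modprobe nf_conntrack_ftp has been run on this host.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# The rule the weak policy lacked. Without it the SYN of the data connection
# (source port 20, ftp-data, in active mode; the PASV port in passive mode)
# arrives as a NEW connection and falls through to the DROP policy, which is
# exactly the retransmitted SYN with no SYN-ACK seen in the capture above.
# With the FTP helper loaded, conntrack marks that data connection RELATED.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Only needed on the FTP server itself: admit new control connections.
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```

On kernels from 4.7 onward conntrack helpers are no longer assigned to connections automatically, so the control connection must also be tagged in the raw table, for example with -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp on the server (or the same rule in the raw OUTPUT chain on a client), otherwise the data connection is never classed RELATED and the rule above does not match it.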
Case 4: Slow business access after a middleware server was migrated to the cloud platform (updated 20140331)
Problem description: after the server was migrated to the cloud platform, business testing was obviously slower: 1.2 seconds before the migration, 2.7 seconds on the cloud platform.
Since this is a test environment, tcpdump was used for the packet analysis; it showed that a total of about 600 SQL statements were executed while handling one transaction:
tcpdump -A -i eth0 -nn port 15701 and dst host 10.4.1.1 | grep -i select
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
.... @select companyimp0_.compa0_.virtualHost as virtualh5_@6_0_, companyimp0_.mx as mx6_0_,,,,,,,, Companyimp0_.logoid as logoid6_=0_ from company Companyimp0_ where companyimp0_.companyid=:1 ............................ T ... '
... @select groupimpl0_.grou10_0_, Groupimpl0_.name a@s name10_0_, Groupimpl0_.description, and so on ....... descript9_10_0_, Groupim@pl0_.type_ as type10_10_0_, groupimpl0_.typesettings as typeset1@1_10_0_, groupimpl0_. Friendlyurl as friendl12_10_0_, groupimpl0_@.active_ as active13_10_0_ from Group_ groupimpl0_ where groupim.pl0_. Groupid=:1 ............ ......... T........
...
-- total 580+ SQL statements
Because the systems were originally on the same network segment, a single SQL query took 1 ms; after the migration a firewall sits in the path and each query takes 3 ms. Since there are about 600 SQL statements, each business operation takes about 1.8 s longer. That is why it is slow.
Note: because this is a test environment, the SQL could also have been captured with the trace facility that Oracle provides; sometimes tcpdump is the more convenient and quicker way to do it from the client side.
The result is almost identical to Oracle SQL Trace: 583 user SQL statements in session.
Overall totals for all recursive statements
Call count CPU Elapsed disk query current rows
------- ------ -------- ---------- ---------- ---------- ---------- ----------
Parse 19 0.00 0.00 0 0 0 0
Execute 90 0.00 0.02 0 0 0 0
Fetch 116 0.01 0.06 21 338 0 127
------- ------ -------- ---------- ---------- ---------- ---------- ----------
Total 225 0.01 0.09 21 338 0 127
Misses in library cache during parse: 11
Misses in library cache during execute: 11
583 user SQL statements in session.
Internal SQL statements in session.
673 SQL statements in session.
Summary of tcpdump usage
1. Type qualifiers
The type qualifiers are host, port and net. host specifies a host (source or destination) address, port specifies a port, and net specifies a subnet. For example:
tcpdump 'port 80'    listens on port 80
tcpdump 'net 192.168.1'    listens on subnet 192.168.1.0
tcpdump 'net 192.168.1.0/24'
2. Logical operators
The logical operators are and, or and not; parentheses group multiple expressions together.
tcpdump 'port 80 and (host 192.168.1.10 or host 192.168.1.11)'
Listens for port 80 traffic of host 192.168.1.10 or 192.168.1.11.
3. Direction qualifiers
The keyword src specifies the source address and dst specifies the destination address:
tcpdump 'port 80 and (src 192.168.1.10 or src 192.168.1.11)'
tcpdump 'dst port 25'
4. Protocol qualifiers
These capture packets of a specific protocol: ether (Ethernet), tcp, udp, icmp, ip, ip6 (IPv6), arp, rarp (reverse ARP), and so on.
5. Primitives
The primitives mainly include the arithmetic and relational operators (+, -, *, /, >, <, >=, <=, !=, etc.), broadcast, gateway, greater and less.
broadcast captures broadcast packets; greater and less are equivalent to >= and <= on the packet length.
Small examples:
Capture the communication on local port 20000:
tcpdump -s 0 -i lo port 20000 -w /tmp/20000.pcap
Capture the communication with 10.8.2.181 port 7001:
tcpdump -i eth0 -s 0 host 10.8.2.181 and port 7001 -w /tmp/syrk.pcap